Reverse Corporate Alchemy: Turning Gold into Lead

During the morning of Wednesday 29 April, 2009 I was flatly told, with no recourse, that my CIBC Aerogold Visa for Business card was being cancelled immediately because it, and many other cards, had been compromised by some unspecified third parties.

A quick web search indicates an almost endless litany of incursions by hackers into credit card processors, including Heartland Payment Systems or Another Unspecified Processor. Although perhaps just bad luck for me, shouldn’t I be delighted that CIBC is looking out for my interests using its highly sophisticated fraud detection software and systems? Well, maybe, but …

As an almost 15 year business customer of CIBC Aerogold VISA, I chose this product because it claims to offer the highest level of customer service aimed at a global and sophisticated business travelling clientele. Based on that, my company uses that card heavily for both a travel and payment card, including many monthly recurring payments. As a long term customer, my assessment of the VISA response to a problem inside their own payments ecosystem was inadequate because:

When I asked for further clarification, the VISA Fraud Department representative seemed quite evasive. Surprisingly, there was an apparent inability to give background information which any customer would expect when their service relationship was curtailed. Simply saying “We’re terminating your card immediately, but it’s nothing to do with you” isn’t an acceptable customer response, particularly for a so-called Gold product.

The lack of encryption and other security mechanisms in CIBC’s payment systems has been a longstanding gap. For example, the classic magstripe can be easily cloned. Against these threats, Smart/CHIP cards have been in use in Europe for a long time and by some processors in Canada for over 5 years. Why did CIBC take so long to catch up with the global security benchmark? As a footnote, on last year’s regular card replacement, I had only 1.5 years to expiration date, instead of the normal 3 or 4, presumably to allow CIBC to move to CHIP card technology. Adding insult to injury, when I picked up my new card with new number today, the expiry date remained what is now 5+ months in the future. This, too, is a major customer inconvenience as I will have to, once again, change all of my automated payments yet again, later this year.

Probably the biggest customer service shortcoming was that my card was “shut off” between Wednesday and Friday, a period of almost 3 days that happens to be over the month change when most of my recurring business payments happen. Perhaps the only worse situation I could imagine is if this had occurred while I was travelling. In resolving their internal security problem, clearly CIBC Visa took no steps to escalate card replacements for their best customers. As I mentioned, their idea of customer service was to simply pass the problem onto their customers – in this case to me.

There have been earlier instances of poor service from CIBC. One memorable case occurred at a hotel checkout in Berlin at 6:00 am at the end of an international conference when I was racing to get to the airport. My charge was denied by the hotel. Apparently, the Fair Isaac (now FICO) fraud decision management software went a little hyperactive that day because it didn’t think I was in Berlin. Again, although I almost missed the window to get to the airport, VISA didn’t really give me the choice of a good workaround for a legitimate customer transaction.

To be clear, I support robust security measures and fraud detection in the payments industry. My problem stems from the way that these companies service their customers when things go wrong.

So, after almost 15 years with CIBC Aerogold VISA for Business, I’m looking at alternatives.

Does anyone have any great suggestions? Or perhaps you have your own credit card security horror stories. Feel free to comment…